High speed random number generator

ABSTRACT

Physical random number generator, characterized in that it comprises a logic circuit (10) comprising at least a data input (D) and a clock input (CLK), the data input (D) receiving a first clock signal and the clock input (CLK) receiving a second clock signal different from the first one; and in that the two clock signals of different frequencies are respectively issued by two different oscillators (OSC1 and OSC2) operating asynchronously from one another and not adhering to the setup time of the logic circuit (10), the output of the circuit (10) delivering a signal in an intermediate state between “0” and “1,” qualified as metastable and being constituted by a random number sequence.

[0001] The present invention is in the field of encryption, and more specifically concerns a hardware solution for the implementation of a random number generator designed especially for generating encryption keys.

[0002] The increased need for performance in cryptography combined with the need for inviolability has led the manufacturers of security systems to favor hardware solutions that are increasingly high-performance in terms of speed and random number quality.

[0003] The generator according to the invention, also called a random generator, can be associated with an additional PCI (Peripheral Component Interconnect) card for accelerating the cryptographic functions of a machine (server or station).

[0004] A card of this type coupled with a server constitutes the hardware security element of the machine.

[0005] There are two types of random number generators used in electronics.

[0006] The first type of generator is based on a random physical phenomenon such as thermal noise in a diode, radioactive emission, etc. It is called a “physical generator” in the description below.

[0007] The second type of generator is based on an algorithm fed with a “germ,” defined below, which produces as output a random number sequence with a relatively long period. It is called a “pseudo-random generator” in the description below.

[0008] A long period associated with a germ of high quality, in terms of random number quality, produces as output from a generator of this type a series of numbers that are practically unpredictable.

[0009] Physical generators are of course the only real sources of random numbers since they are completely unpredictable, but many of them are not free from correlations at the output level.

[0010] Furthermore, their speed is generally somewhat slow, on the order of several tens of kilobits per second.

[0011] Pseudo-random generators are simple to implement in software form and make it possible to supply a high random number output, on the order of several tens of megabits per second.

[0012] However, this type of generator corresponds to a deterministic process and is therefore predictable.

[0013] The quality of a random generator is difficult to assess because there is no official and standardized procedure that makes it possible to verify the more or less random nature of a series of numbers.

[0014] However, there are two series of tests for “validating” a generator of this type.

[0015] The first series of tests, called FIPS140 tests, is described in the document FIPS140-1 entitled “Security Requirements for Cryptographic Modules” issued by the American organization NIST. These tests constitute the minimum requirements for any security component wishing to claim the label “FIPS140-compliant,” one of the objectives of the present invention.

[0016] The second series of tests, developed by George Marsaglia and called DIEHARD tests, are much tougher than the FIPS tests and confer on any generator that passes all of them successfully a certain recognized level of quality.

[0017] These two series of tests are included in annexes to the present specification.

[0018] It is the specific object of the invention to eliminate the aforementioned drawbacks and to make it possible to do without a specific physical circuit such as a noise diode, while meeting the dual requirement of high speed, faster than 100 Mbits/s, and a very high quality of random numbers supplied a quality measured by the fact that the generator must successfully pass the above-mentioned FIPS140 and DIEHARD series of tests.

[0019] A high-speed random number generator (1) comprising a physical random number generator (5), and whose data input corresponds to the data input of the physical generator (5), and a pseudo-random generator (6) coupled to the output of the physical generator (5) that receives through its input a germ delivered by the physical generator, said physical generator (5) comprising a logic circuit (10) that includes at least a data input (D) and a clock input (CLK), the data input (D) receiving a “high frequency” clock signal H1 and the clock input (CLK) receiving a second, “low frequency” clock signal H2, the “high frequency” signal H1 being sampled by the “low frequency” signal H2, the two clock signals H1 and H2 of different frequencies respectively issuing from two different oscillators (OSC1 and OSC2) operating asynchronously from one another and not adhering to the setup time of the logic circuit (10), the output of the circuit (10) delivering a signal in an intermediate state qualified as metastable between “0” and “1” and being constituted by a random number sequence, the metastability of the signal obtained as output from the circuit (10) being accentuated by the phase noise of the oscillator (OSC1) generating the “high frequency” signal H1, said random number generator (1) being characterized in that the pseudo-random generator (6) re-injects part of its pseudo-random output signal into the physical generator (5) and in that it includes an internal memory (9) that stores the random numbers obtained as output from the pseudo-random generator (6); the two generators (5) and (6) running on the same second “high frequency” clock signal H generated by an external oscillator (7).

[0020] The second subject of the invention is a mechanism for generating random numbers on demand, characterized in that it comprises a random number generator as defined above, a dual-port memory including a receiving buffer, coupled to the output of the generator via the bus of the generator, and in that it includes a microprocessor coupled to the dual-port memory via the microprocessor bus, communicating with the generator via the dual-port memory and posting in the dual-port memory a command word comprising an address and a count containing a maximum number of random words to be stored, and in that the buffer of the dual-port memory, at the request of the microprocessor, is fed by the internal memory of the generator until a count corresponding to a given maximum number of random numbers has elapsed, then utilized by the microprocessor.

[0021] Lastly, the third subject of the invention is a card for accelerating the cryptographic functions of a computing machine, characterized in that it supports a random number generator or a mechanism like those defined above.

[0022] The invention has the advantage of not using standard electronic circuits to produce the “physical” generator, and hence of reducing the complexity and the cost of such a generator.

[0023] Other advantages and characteristics of the present invention will emerge through the reading of the following description given in reference to the attached figures, which represent:

[0024] in FIG. 1, the general principle of a mechanism for generating random numbers on demand, into which a random generator according to the invention has been inserted;

[0025] in FIG. 2, the block diagram of a random generator according to the invention;

[0026] in FIG. 3, a latch that receives through its inputs the respective clock signals generated by two oscillators of different frequencies, and that serves to illustrate the phenomenon of metastability;

[0027] in FIGS. 4a and 4b, the respective timing diagrams of the signals injected into the inputs of the latch of FIG. 3;

[0028] in FIG. 4c, the timing diagram of the signal output from the latch; and

[0029] in FIG. 5, the block diagram of a physical generator according to the invention.

[0030] The general principle of a random number generating mechanism into which the generator according to the invention has been inserted is illustrated in FIG. 1.

[0031] In this figure, the links without arrows are two-way.

[0032] The mechanism is delimited in the figure by an enclosing broken line, which could also delimit the PCI card, mentioned above, that supports the mechanism.

[0033] The random generator 1 is produced from a programmable logic machine, implemented in a programmable electronic component called FPGA, for “Field Programmable Gate Array,” and which, under the control of a microprocessor 2, at the request of the latter, delivers random numbers at a high speed (D>100 Mbits/s).

[0034] These random numbers are used by various algorithms, and more particularly by encryption algorithms to generate encryption keys.

[0035] A dual-port memory 3 of the DMA (Direct Memory Access) type is coupled to the output of the random generator 1 via the bus of the generator.

[0036] The microprocessor 2 is coupled to the dual-port memory via the microprocessor bus.

[0037] It communicates with the generator 1 via the dual-port memory 3, which allows the exchange of data and commands/statuses between the random generator 1 and the PCI bus of the machine to which the card is connected, via a PCI interface 4.

[0038] The microprocessor 2 posts in the dual-port memory a command word comprising only an address and a count.

[0039] The address points to a receiving buffer 3₁ of the dual-port memory 3, in which the generator 1 stores the random words.

[0040] The count itself sets the number of random words requested from the generator 1, with a maximum capacity, for example 32 Kbytes.

[0041] The microprocessor 2 then sends an activating command of the “chip select” type to the generator 1, which reads the command word in the dual-port memory 3 and executes it.

[0042] The words generated are then stored in the receiving buffer 3₁ indicated by the microprocessor 2, until the maximum capacity of the count has elapsed.

[0043] The logic machine of the random generator 1 then sends an interrupt command “interrupt” to the microprocessor 2, which tells it that the buffer 3₁ containing the results is available for reading.

[0044] The block diagram of a random generator according to the invention is illustrated in FIG. 2.

[0045] It essentially comprises two stages 5 and 6.

[0046] The first stage 5 comprises a “physical” generator and the second stage 6, coupled to the first, comprises a “pseudo-random” generator.

[0047] The “physical” generator is a random number generator based on the physical phenomena of metastability and phase noise from oscillators of different frequencies.

[0048] The physical generator 5 supplies the pseudo-random generator 6 with a random germ that is high-quality in the sense that it satisfies the FIPS140 tests, and that is delivered at a speed on the order of 10 Kbits/s. The “pseudo-random” generator 6, based on the germ received from the physical generator 5, implements an algorithm of the multiply-with-carry type, which has very high speed since it is implemented directly in hardware, and also satisfies both of the series of tests introduced above and described in detail in the annexes.

[0049] In the embodiment described, the two generators 5 and 6 run at the rate of an external clock 7 that generates a first “high frequency” clock signal H with a frequency equal to 25 MHz.

[0050] An oscillator 8 delivers a second “high frequency” signal H1 with a frequency equal to 33 MHz, which constitutes the input signal of the physical generator 5.

[0051] An internal memory 9 of the FIFO (“First In First Out”) type is coupled to the output of the pseudo-random generator 6.

[0052] The FIFO memory 9 is used to store the random numbers resulting from the operation performed by the two generators 5 and 6 while waiting for the microprocessor 2 to request their transfer to the dual-port memory 3.

[0053] The physical generator according to the invention uses the so-called metastability phenomenon, the principle of which is explained in detail below in reference to FIGS. 3 and 4a through 4c.

[0054] When two oscillators OSC1 and OSC2 of different frequencies operate asynchronously from one another, they each generate a separate clock signal, and the signals synchronized with these clock signals belong to separate clock domains that are theoretically independent from the functional point of view. However, there is a moment at which signals are exchanged between the two domains. This situation is a handicap in any design in which it occurs, since it leads to the phenomenon of metastability.

[0055] The signals issued by different clock domains do not adhere to the “setup” times of the memory elements (latches or registers) of the other domain, causing the outputs of these elements to have random values.

[0056] FIG. 3 represents a latch that receives in its data input D and in its clock input CLK, respectively, the clock signals H1 and H2, generated respectively by the oscillators OSC1 and OSC2.

[0057] FIGS. 4a and 4b respectively illustrate exemplary timing diagrams corresponding to the two clock signals.

[0058]FIG. 4c illustrates a timing diagram corresponding to the output signal Q of the latch.

[0059] The output of a latch whose “setup” has been violated remains in an intermediate state between the “0” state and the “1” state that is qualified as metastable, prior to stabilizing in the final state “0” or “1”.

[0060] In general, this problem is handled by placing two latches in series, one behind the other, in order to prevent the propagation of this undesirable random event.

[0061] On the contrary, this metastability is exploited by the present invention and its occurrence is accentuated by the utilization of two oscillators of very different frequencies.

[0062] Preferably, a “high frequency” signal H1 and a “low frequency” signal H2 are thus chosen.

[0063] The “high frequency” signal H1 is sampled by the “low frequency” signal H2.

[0064] The desired phenomenon is thus accentuated by two physical phenomena:

[0065] the phase noise generated by the “high frequency” oscillator; and

[0066] the forced variability of the period of the “low frequency” oscillator, caused by using some of the bits output from the pseudo-random generator in the dividing counter used to generate this frequency. A variable form factor is thus obtained.

[0067] FIG. 5 illustrates the block diagram of a physical generator 5 according to the invention, in which the latch 10, described in reference to FIG. 3 in order to explain metastability, is located.

[0068] The input module of the physical generator 5 is a counter 11 that divides by 1312.

[0069] It is fed with an external clock signal H having a frequency equal to 25 MHz, and generates as output a “low frequency” clock signal H2 that samples the “high frequency” input clock signal of the generator 5 having a frequency equal to 33 MHz.

[0070] The clock signal H2 is injected into the clock input CLK of the latch 10, and the signal H1 is injected into the input D of the latch 10.

[0071] The output signal, obtained at the output Q of the latch 10, is combined in an “exclusive OR” logic circuit 12 with a bit output from the pseudo-random generator 6 and sent to the input D of a 64-bit shift register referenced 13.

[0072] The logic circuit 12 thus makes it possible to compensate for a possible failure of the physical generator 5.

[0073] The shift register 13 reshapes the signal issued by the latch 10.

[0074] In the embodiment described, it generates two random 32-bit words every 32×100 µs, or about 3.2 ms.

[0075] These two words constitute the “germ” used by the pseudo-random generator 6 described below.

[0076] In order to specifically meet the constraints of the DIEHARD series of tests, the renewal of the germ is typically performed every 100 million bits.

[0077] Thus, a 3750 counter, 14, generates a LEN (Load Enable) signal, which actually loads a new germ into the pseudo-random generator 6 approximately every 375 ms.

[0078] The physical generator 5 also includes a test module 15 comprising two counters and a comparator, not represented.

[0079] The two counters respectively receive as input the two clock signals H and H1, of 25 MHz and 33 MHz respectively, and their outputs feed the comparator, which generates an error signal in case of an abnormality (sticking) of the 33 MHz clock signal used as the external “high frequency” signal H1.

[0080] This test makes it possible to continuously verify that the value of the signal used to generate the random germ is not stuck at “0” or at “1.”

[0081] In case of sticking, the error signal invalidates the final output of the physical generator 5 by forcing the writing of zeros into the internal memory 9.

[0082] The pseudo-random generator 6 is of the multiply-with-carry type.

[0083] It is particularly suited to the implementation of a generator according to the invention because of the rapidity of execution of its algorithm, but it is not the only one that can be used by the pseudo-random generator.

[0084] The algorithm is expressed in the following way:

[0085] X:=(A * X(15:0))+X(31:16);

[0086] Y:=(B * Y(15:0))+Y(31:16);

[0087] PRN(31:16)<=X(15:0);

[0088] PRN(15:0)<=Y(15:0);

[0089] where X and Y are 32-bit variables initialized with the germ described above, A and B are 16-bit constants and PRN corresponds to a 32-bit word delivered as output from the pseudo-random generator 6.
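The four assignments above, carried through as a worked example added here (not code from the patent): a C implementation of the two multiply-with-carry lanes, the germ load, and a check that rejects the degenerate states in which a lane stops changing. The multipliers MWC_A and MWC_B are Marsaglia's published values and are an assumption, since the patent only states that A and B are 16-bit constants; the assignment of the first germ word to X and the second to Y is likewise assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Multiply-with-carry stage of [0085]-[0088], one step per 32-bit output:
 *   X := (A * X(15:0)) + X(31:16)
 *   Y := (B * Y(15:0)) + Y(31:16)
 *   PRN(31:16) <= X(15:0);  PRN(15:0) <= Y(15:0)
 * The patent only says A and B are 16-bit constants. The two values below
 * are Marsaglia's published MWC multipliers and are an assumption of this
 * example, not taken from the patent. */
#define MWC_A 36969u
#define MWC_B 18000u

typedef struct {
    uint32_t x;   /* X(15:0) is the current digit, X(31:16) the carry */
    uint32_t y;
} mwc_state;

/* Load the 64-bit germ of [0074]-[0075] into X and Y. Giving the first
 * 32-bit word to X and the second to Y is an assumption of this example. */
void mwc_load_germ(mwc_state *s, uint32_t germ_word0, uint32_t germ_word1)
{
    s->x = germ_word0;
    s->y = germ_word1;
}

/* A lane whose state is 0, or equal to the fixed point A*2^16 - 1
 * (digit 0xFFFF with carry A-1), reproduces itself forever and so emits a
 * constant 16-bit half-word. Such a germ must be rejected; this is also why
 * a stuck physical stage ([0079]-[0081]) has to be detected before its
 * output is used as a germ. */
bool mwc_germ_usable(const mwc_state *s)
{
    const uint32_t fixed_x = (MWC_A << 16) - 1u;
    const uint32_t fixed_y = (MWC_B << 16) - 1u;
    return s->x != 0u && s->x != fixed_x && s->y != 0u && s->y != fixed_y;
}

/* One generator step; returns the 32-bit word PRN. For any 16-bit A the
 * sum A*0xFFFF + 0xFFFF is below 2^32, so nothing overflows uint32_t. */
uint32_t mwc_next(mwc_state *s)
{
    s->x = MWC_A * (s->x & 0xFFFFu) + (s->x >> 16);
    s->y = MWC_B * (s->y & 0xFFFFu) + (s->y >> 16);
    return ((s->x & 0xFFFFu) << 16) | (s->y & 0xFFFFu);
}

int main(void)
{
    mwc_state s;
    /* Constructed germ; a real one arrives from the latch/shift-register path. */
    mwc_load_germ(&s, 0x2F6E2B34u, 0x9D2C5680u);
    if (!mwc_germ_usable(&s)) {
        puts("germ rejected: degenerate MWC state");
        return 1;
    }
    for (int i = 0; i < 4; i++)
        printf("PRN[%d] = 0x%08X\n", i, mwc_next(&s));
    return 0;
}
```

With the germ (1, 1) the first word is 0x90694650: X(15:0) = 36969 = 0x9069 in the upper half and Y(15:0) = 18000 = 0x4650 in the lower half. A germ word equal to 0 or to A·2^16 − 1 leaves its lane constant for the whole 375 ms between germ renewals, so the usability check belongs before the LEN load of [0077].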

[0090] The word PRN is sent to the internal memory 9 of the random generator 1 at the rate of one 32-bit word every 120 ns, or at a global rate of 266 Mbits/s.

[0091] The output from the internal memory 9 coupled with the dual port memory 3 feeds the receiving buffer of the dual port memory 3.

[0092] The reading of the internal memory 9 takes place at the rate of one 32-bit word every 30 ns, in order not to slow down the internal speed of the random generator 1, even when there is a conflict for access to the dual-port memory 3.

[0093] In conclusion, the present invention meets two objectives.

[0094] The first objective is to produce a compact hardware implementation of a random number generator that is made entirely from standard components that do not use any specific noise generating components, and that can be supported by a PCI card for accelerating the cryptographic resources of a computing machine.

[0095] The second objective, added to the first, is to be able to meet the desired speed and randomness constraints. In this context, a “physical” random-number generator alone is not enough.

[0096] That is why the present invention associates a physical generator, which exploits the phenomenon of metastability together with the phenomenon of phase noise in order to guarantee a germ of good random number quality, with a pseudo-random generator that accelerates the output of the germs delivered by the physical generator and also eliminates any possible correlations in the output of the physical generator, which is not perfect.

Annexes

[0097] Below is a cursory description of the FIPS140 and DIEHARD tests successfully passed by the random generator according to the invention.

[0098] 1) The FIPS 140 tests:

[0099] The FIPS 140 tests are performed on a sequence of 20000 bits and comprise:

[0100] a Monobit test: the number N of bits at “1” should be such that 9654<N<10346;

[0101] a so-called POKER test: a test that divides the flow of 20000 bits into 5000 contiguous 4-bit streams. For each stream a function f(i) is evaluated, which is equal to the number of times in which the value 0<i<15 appears.

[0102] The following function is then evaluated:

X = (16/5000) × SUM(f(i) × f(i)) − 5000, with 0<i<15

[0103] The test is positive if 1.03<X<57.4;

[0104] the Runs test, which counts the number of occurrences of the streams 11, 111, 1111, ..., 00, 000, 0000, ...

[0105] The test is positive if for each run length the number of results is within the corresponding interval.

Run length    Required interval
1             2267-2733
2             1079-1421
3             502-748
4             223-402
5             90-223
>6            90-223

[0106] For further detail, see FIPS PUB 140-1: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES.
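A worked example, added here and not taken from the patent, of the three FIPS 140-1 tests listed above in C: monobit, poker and runs over one 20000-bit sample, with the intervals of the table applied separately to runs of “0” and runs of “1” and the last row covering every run of length 6 or more, as FIPS 140-1 specifies. The sample is produced either by the page's multiply-with-carry stage (Marsaglia's multipliers assumed, since the patent gives none) or by a constructed constant stream standing in for a stuck source; the germ value is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FIPS 140-1 tests of the annex over one 20000-bit sample. Bit i of the
 * sample is bit (i & 7) of byte i >> 3; the statistics do not depend on
 * which bit order is chosen. */
#define FIPS_NBITS  20000
#define FIPS_NBYTES (FIPS_NBITS / 8)   /* 2500 bytes = 625 32-bit words */

static int fips_bit(const uint8_t *buf, int i)
{
    return (buf[i >> 3] >> (i & 7)) & 1;
}

/* Monobit: N = number of bits at "1"; required 9654 < N < 10346. */
int fips_monobit(const uint8_t *buf)
{
    int n = 0;
    for (int i = 0; i < FIPS_NBITS; i++) n += fips_bit(buf, i);
    return n;
}

/* Poker: 5000 contiguous 4-bit values, f(i) = occurrences of value i,
 * X = (16/5000) * SUM f(i)^2 - 5000; required 1.03 < X < 57.4. */
double fips_poker(const uint8_t *buf)
{
    long f[16] = {0};
    for (int k = 0; k < FIPS_NBITS / 4; k++) {
        int v = 0;
        for (int b = 0; b < 4; b++) v = (v << 1) | fips_bit(buf, 4 * k + b);
        f[v]++;
    }
    double sum = 0.0;
    for (int i = 0; i < 16; i++) sum += (double)f[i] * (double)f[i];
    return (16.0 / 5000.0) * sum - 5000.0;
}

/* Runs: runs[v][L-1] = maximal runs of bit value v with length L, L = 1..5;
 * runs[v][5] pools length 6 and above (the last row of the annex table). */
void fips_runs(const uint8_t *buf, long runs[2][6])
{
    memset(runs, 0, 2 * 6 * sizeof(long));
    int cur = fips_bit(buf, 0), len = 1;
    for (int i = 1; i < FIPS_NBITS; i++) {
        int b = fips_bit(buf, i);
        if (b == cur) { len++; continue; }
        runs[cur][len >= 6 ? 5 : len - 1]++;
        cur = b;
        len = 1;
    }
    runs[cur][len >= 6 ? 5 : len - 1]++;
}

/* Required interval per run length 1, 2, 3, 4, 5, 6+ (annex table),
 * applied separately to runs of "0" and runs of "1". */
static const long FIPS_RUN_LO[6] = {2267, 1079, 502, 223, 90, 90};
static const long FIPS_RUN_HI[6] = {2733, 1421, 748, 402, 223, 223};

bool fips_monobit_ok(int n)  { return n > 9654 && n < 10346; }
bool fips_poker_ok(double x) { return x > 1.03 && x < 57.4; }
bool fips_runs_ok(long runs[2][6])
{
    for (int v = 0; v < 2; v++)
        for (int L = 0; L < 6; L++)
            if (runs[v][L] < FIPS_RUN_LO[L] || runs[v][L] > FIPS_RUN_HI[L])
                return false;
    return true;
}

/* Verdict for one sample: all three tests must pass. */
bool fips_140_1_pass(const uint8_t *buf)
{
    long runs[2][6];
    fips_runs(buf, runs);
    return fips_monobit_ok(fips_monobit(buf)) && fips_poker_ok(fips_poker(buf))
        && fips_runs_ok(runs);
}

/* Sample source 1: the page's multiply-with-carry stage ([0085]-[0088]);
 * the multipliers are Marsaglia's, assumed here since the patent gives none. */
void fips_fill_mwc(uint8_t *buf, uint32_t x, uint32_t y)
{
    for (int i = 0; i < FIPS_NBYTES; i += 4) {
        x = 36969u * (x & 0xFFFFu) + (x >> 16);
        y = 18000u * (y & 0xFFFFu) + (y >> 16);
        uint32_t prn = ((x & 0xFFFFu) << 16) | (y & 0xFFFFu);
        for (int k = 0; k < 4; k++) buf[i + k] = (uint8_t)(prn >> (8 * k));
    }
}

/* Sample source 2: a constructed constant stream, as a stuck latch would give. */
void fips_fill_pattern(uint8_t *buf, uint8_t byte) { memset(buf, byte, FIPS_NBYTES); }

int main(void)
{
    uint8_t buf[FIPS_NBYTES];
    fips_fill_mwc(buf, 0x2F6E2B34u, 0x9D2C5680u);   /* constructed germ */
    printf("MWC sample: monobit=%d poker=%.2f -> %s\n", fips_monobit(buf),
           fips_poker(buf), fips_140_1_pass(buf) ? "PASS" : "FAIL");
    fips_fill_pattern(buf, 0x00);                    /* source stuck at "0" */
    printf("stuck-at-0: monobit=%d poker=%.2f -> %s\n", fips_monobit(buf),
           fips_poker(buf), fips_140_1_pass(buf) ? "PASS" : "FAIL");
    return 0;
}
```

The constant stream fails all three tests at once: N = 0, X = 75000 (all 5000 nibbles fall in one cell) and a single run of length 20000. An alternating stream 0101... passes monobit exactly (N = 10000) yet still fails poker and runs, which is why a ones-count alone is not a usable health check for the physical stage.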

[0107] 2) The DIEHARD tests:

[0108] There are 15 of these tests and all of them are described in this annex. A file containing 80 Mbits of random data is required in order to run the tests, and the results are given in the form of numbers 0<p<1.

[0109] The result of the tests depends on the number of values p=1 or p=0 found:

[0110] no value p=1 or p=0: the result of the tests is positive;

[0111] some values p=1 or p=0: the result of the tests is positive, but the random numbers are of average quality;

[0112] the number of consecutive values p=1 or p=0 is >5 in one or more tests: the result of the tests is negative.

THE BIRTHDAY SPACINGS TEST

Choose m birthdays in a year of n days. List the spacings between the birthdays. If j is the number of values that occur more than once in that list, then j is asymptotically Poisson distributed with mean m^3/(4n). Experience shows n must be quite large, say n>=2^18, for comparing the results to the Poisson distribution with that mean. This test uses n=2^24 and m=2^9, so that the underlying distribution for j is taken to be Poisson with lambda=2^27/(2^26)=2. A sample of 500 j's is taken, and a chi-square goodness of fit test provides a p value. The first test uses bits 1-24 (counting from the left) from integers in the specified file. Then the file is closed and reopened. Next, bits 2-25 are used to provide birthdays, then 3-26 and so on to bits 9-32. Each set of bits provides a p-value, and the nine p-values provide a sample for a KSTEST.

THE OVERLAPPING 5-PERMUTATION TEST

This is the OPERM5 test. It looks at a sequence of one million 32-bit random integers. Each set of five consecutive integers can be in one of 120 states, for the 5! possible orderings of five numbers. Thus the 5th, 6th, 7th, ... numbers each provide a state. As many thousands of state transitions are observed, cumulative counts are made of the number of occurrences of each state. Then the quadratic form in the weak inverse of the 120×120 covariance matrix yields a test equivalent to the likelihood ratio test that the 120 cell counts came from the specified (asymptotically) normal distribution with the specified 120×120 covariance matrix (with rank 99). This version uses 1,000,000 integers, twice.

THE BINARY RANK TEST FOR 31×31 MATRICES

The leftmost 31 bits of 31 random integers from the test sequence are used to form a 31×31 binary matrix over the field {0,1}. The rank is determined. That rank can be from 0 to 31, but ranks <28 are rare, and their counts are pooled with those for rank 28. Ranks are found for 40,000 such random matrices and a chisquare test is performed on counts for ranks 31, 30, 29 and <=28.

THE BINARY RANK TEST FOR 32×32 MATRICES

A random 32×32 binary matrix is formed, each row a 32-bit random integer. The rank is determined. That rank can be from 0 to 32; ranks less than 29 are rare, and their counts are pooled with those for rank 29. Ranks are found for 40,000 such random matrices and a chisquare test is performed on counts for ranks 32, 31, 30 and <=29.

THE BINARY RANK TEST FOR 6×8 MATRICES

From each of six random 32-bit integers from the generator under test, a specified byte is chosen, and the resulting six bytes form a 6×8 binary matrix whose rank is determined. That rank can be from 0 to 6, but ranks 0, 1, 2, 3 are rare; their counts are pooled with those for rank 4. Ranks are found for 100,000 random matrices, and a chi-square test is performed on counts for ranks 6, 5 and <=4.

THE BITSTREAM TEST

The file under test is viewed as a stream of bits. Call them b1, b2, ... . Consider an alphabet with two “letters”, 0 and 1, and think of the stream of bits as a succession of 20-letter “words”, overlapping. Thus the first word is b1b2...b20, the second is b2b3...b21, and so on. The bitstream test counts the number of missing 20-letter (20-bit) words in a string of 2^21 overlapping 20-letter words. There are 2^20 possible 20-letter words. For a truly random string of 2^21+19 bits, the number of missing words j should be (very close to) normally distributed with mean 141,909 and sigma 428. Thus (j-141909)/428 should be a standard normal variate (z score) that leads to a uniform [0,1) p value. The test is repeated twenty times.

THE TESTS OPSO, OQSO AND DNA

OPSO means Overlapping-Pairs-Sparse-Occupancy. The OPSO test considers 2-letter words from an alphabet of 1024 letters. Each letter is determined by a specified ten bits from a 32-bit integer in the sequence to be tested. OPSO generates 2^21 (overlapping) 2-letter words (from 2^21+1 “keystrokes”) and counts the number of missing words, that is, 2-letter words which do not appear in the entire sequence. That count should be very close to normally distributed with mean 141,909, sigma 290. Thus (missingwrds-141909)/290 should be a standard normal variable. The OPSO test takes 32 bits at a time from the test file and uses a designated set of ten consecutive bits. It then restarts the file for the next designated 10 bits, and so on.

OQSO means Overlapping-Quadruples-Sparse-Occupancy. The test OQSO is similar, except that it considers 4-letter words from an alphabet of 32 letters, each letter determined by a designated string of 5 consecutive bits from the test file, elements of which are assumed 32-bit random integers. The mean number of missing words in a sequence of 2^21 four-letter words (2^21+3 “keystrokes”) is again 141909, with sigma = 295. The mean is based on theory; sigma comes from extensive simulation.

The DNA test considers an alphabet of 4 letters: C, G, A, T, determined by two designated bits in the sequence of random integers being tested. It considers 10-letter words, so that, as in OPSO and OQSO, there are 2^20 possible words, and the mean number of missing words from a string of 2^21 (overlapping) 10-letter words (2^21+9 “keystrokes”) is 141909. The standard deviation sigma=339 was determined as for OQSO by simulation. (Sigma for OPSO, 290, is the true value (to three places), not determined by simulation.)

THE COUNT-THE-1's TEST ON A STREAM OF BYTES

Consider the file under test as a stream of bytes (four per 32 bit integer). Each byte can contain from 0 to 8 1's, with probabilities 1, 8, 28, 56, 70, 56, 28, 8, 1 over 256. Now let the stream of bytes provide a string of overlapping 5-letter words, each “letter” taking values A, B, C, D, E. The letters are determined by the number of 1's in a byte: 0, 1 or 2 yield A, 3 yields B, 4 yields C, 5 yields D and 6, 7 or 8 yield E. Thus we have a monkey at a typewriter hitting five keys with various probabilities (37, 56, 70, 56, 37 over 256). There are 5^5 possible 5-letter words, and from a string of 256,000 (overlapping) 5-letter words, counts are made on the frequencies for each word. The quadratic form in the weak inverse of the covariance matrix of the cell counts provides a chisquare test: Q5−Q4, the difference of the naive Pearson sums of (OBS-EXP)^2/EXP on counts for 5- and 4-letter cell counts.

THE COUNT-THE-1's TEST FOR SPECIFIC BYTES

Consider the file under test as a stream of 32-bit integers. From each integer, a specific byte is chosen, say the leftmost: bits 1 to 8. Each byte can contain from 0 to 8 1's, with probability 1, 8, 28, 56, 70, 56, 28, 8, 1 over 256. Now let the specified bytes from successive integers provide a string of (overlapping) 5-letter words, each “letter” taking values A, B, C, D, E. The letters are determined by the number of 1's in that byte: 0, 1 or 2 ---> A, 3 ---> B, 4 ---> C, 5 ---> D, and 6, 7 or 8 ---> E. Thus we have a monkey at a typewriter hitting five keys with various probabilities: 37, 56, 70, 56, 37 over 256. There are 5^5 possible 5-letter words, and from a string of 256,000 (overlapping) 5-letter words, counts are made on the frequencies for each word. The quadratic form in the weak inverse of the covariance matrix of the cell counts provides a chisquare test: Q5−Q4, the difference of the naive Pearson sums of (OBS-EXP)^2/EXP on counts for 5- and 4-letter cell counts.

THE PARKING LOT TEST

In a square of side 100, randomly “park” a car (a circle of radius 1). Then try to park a 2nd, a 3rd, and so on, each time parking “by ear”. That is, if an attempt to park a car causes a crash with one already parked, try again at a new random location. (To avoid path problems, consider parking helicopters rather than cars.) Each attempt leads to either a crash or a success, the latter followed by an increment to the list of cars already parked. If we plot n, the number of attempts, versus k, the number successfully parked, we get a curve that should be similar to those provided by a perfect random number generator. Theory for the behavior of such a random curve seems beyond reach, and as graphics displays are not available for this battery of tests, a simple characterization of the random experiment is used: k, the number of cars successfully parked after n=12,000 attempts. Simulation shows that k should average 3523 with sigma 21.9 and is very close to normally distributed. Thus (k-3523)/21.9 should be a standard normal variable, which, converted to a uniform variable, provides input to a KSTEST based on a sample of 10.

THE MINIMUM DISTANCE TEST

It does this 100 times: choose n=8000 random points in a square of side 10000. Find d, the minimum distance between the (n^2−n)/2 pairs of points. If the points are truly independent uniform, then d^2, the square of the minimum distance, should be (very close to) exponentially distributed with mean .995. Thus 1-exp(−d^2/.995) should be uniform on [0,1) and a KSTEST on the resulting 100 values serves as a test of uniformity for random points in the square. Test numbers =0 mod 5 are printed but the KSTEST is based on the full set of 100 random choices of 8000 points in the 10000×10000 square.

THE 3DSPHERES TEST

Choose 4000 random points in a cube of edge 1000. At each point, center a sphere large enough to reach the next closest point. Then the volume of the smallest such sphere is (very close to) exponentially distributed with mean 120pi/3. Thus the radius cubed is exponential with mean 30. (The mean is obtained by extensive simulation.) The 3DSPHERES test generates 4000 such spheres 20 times. Each min radius cubed leads to a uniform variable by means of 1-exp(−r^3/30.), then a KSTEST is done on the 20 p-values.

THE SQEEZE TEST

Random integers are floated to get uniforms on [0,1). Starting with k=2^31=2147483647, the test finds j, the number of iterations necessary to reduce k to 1, using the reduction k=ceiling(k*U), with U provided by floating integers from the file being tested. Such j's are found 100,000 times, then counts for the number of times j was <=6, 7, ..., 47, >=48 are used to provide a chi-square test for cell frequencies.

THE OVERLAPPING SUMS TEST

Integers are floated to get a sequence U(1), U(2), ... of uniform [0,1) variables. Then overlapping sums, S(1)=U(1)+...+U(100), S(2)=U(2)+...+U(101), ... are formed. The S's are virtually normal with a certain covariance matrix. A linear transformation of the S's converts them to a sequence of independent standard normals, which are converted to uniform variables for a KSTEST. The p-values from ten KSTESTs are given still another KSTEST.

THE RUNS TEST

It counts runs up, and runs down, in a sequence of uniform [0,1) variables, obtained by floating the 32-bit integers in the specified file. This example shows how runs are counted: .123, .357, .789, .425, .224, .416, .95 contains an up-run of length 3, a down-run of length 2 and an up-run of (at least) 2, depending on the next values. The covariance matrices for the runs-up and runs-down are well known, leading to chisquare tests for quadratic forms in the weak inverses of the covariance matrices. Runs are counted for sequences of length 10,000. This is done ten times. Then repeated.

THE CRAPS TEST

It plays 200,000 games of craps, finds the number of wins and the number of throws necessary to end each game.
The number of wins should be (very close to) a :: :: normal with mean 200000p and variance 200000p(1-p), with  :: :: p=244/495. Throws necessary to complete the game can vary :: :: from 1 to infinity, but counts for all>21 are lumped with 21. :: :: A chi-square test is made on the no.-of-throws cell counts. :: :: Each 32-bit integer from the test file provides the value for:: :: the throw of a die, by floating to [0,1), multiplying by 6 :: :: and taking 1 plus the integer part of the result.    :: ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: NOTE: Most of the tests in DIEHARD return a p-value, which should be uniform on [0,1) if the input file contains truly independent random bits. Those p-values are obtained by p=F(X), where F is the assumed distribution of the sample random variable X---often normal. But that assumed F is just an asymptotic approximation, for which the fit will be worst in the tails. Thus you should not be surprised with occasional p-values near 0 or 1, such as .0012 or .9983. When a bit stream really FAILS BIG, you will get p's of 0 or 1 to six or more places. By all means, do not, as a Statistician might, think that a p < .025 or p> .975 means that the RNG has “failed the test at the .05 level”. Such p's happen among the hundreds that DIEHARD produces, even with good RNG's. So keep in mind that “p happens”. 
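The count-the-1's test for specific bytes described above, reimplemented as an added Python example (this is not the patent's code and not DIEHARD's own implementation). It folds the binomial weights C(8,k) into the five letter probabilities 37,56,70,56,37 over 256, picks one byte from each 32-bit integer, counts overlapping 5- and 4-letter words, and returns Q5−Q4, which for independent random bytes is approximately chi-square with 5^5−5^4 = 2500 degrees of freedom. The `demo_words` input is a constructed stream from Python's seeded Mersenne Twister, used only so that the example runs offline.

```python
"""DIEHARD count-the-1's test for specific bytes, reimplemented in Python
(added example; not the patent's or DIEHARD's own code)."""
from collections import Counter
from itertools import product
from math import comb
import random

# Letter assigned to a byte by its number of 1 bits: 0-2 -> A, 3 -> B, 4 -> C, 5 -> D, 6-8 -> E
LETTERS = "AAABCDEEE"
ALPHABET = "ABCDE"
DEGREES_OF_FREEDOM = 5 ** 5 - 5 ** 4   # 2500: the cells of Q5 minus the cells of Q4


def letter_of(byte):
    return LETTERS[bin(byte & 0xFF).count("1")]


def letter_weights():
    """Numerators over 256 of P(A)..P(E), folded from the binomial weights C(8,k)."""
    w = dict.fromkeys(ALPHABET, 0)
    for k in range(9):
        w[LETTERS[k]] += comb(8, k)
    return [w[c] for c in ALPHABET]      # [37, 56, 70, 56, 37]


def specific_bytes(words, byte_index=0):
    """Select one byte from each 32-bit integer; index 0 is the leftmost byte (bits 1 to 8)."""
    shift = 8 * (3 - byte_index)
    return [(w >> shift) & 0xFF for w in words]


def pearson_sum(counts, n_words, word_len, prob):
    """Naive Pearson sum (OBS-EXP)^2/EXP over all 5**word_len cells, empty cells included."""
    q = 0.0
    for cell in product(ALPHABET, repeat=word_len):
        exp = n_words
        for c in cell:
            exp *= prob[c]
        obs = counts.get("".join(cell), 0)
        q += (obs - exp) ** 2 / exp
    return q


def count_the_ones(data, n_words=256000):
    """Q5 - Q4 over n_words overlapping words built from the byte sequence `data`.
    For independent random bytes it is approximately chi-square with 2500 d.f."""
    if len(data) < n_words + 4:
        raise ValueError("need at least n_words + 4 bytes")
    letters = "".join(letter_of(b) for b in data[: n_words + 4])
    prob = dict(zip(ALPHABET, (w / 256 for w in letter_weights())))
    c5 = Counter(letters[i:i + 5] for i in range(n_words))
    c4 = Counter(letters[i:i + 4] for i in range(n_words))
    return pearson_sum(c5, n_words, 5, prob) - pearson_sum(c4, n_words, 4, prob)


def demo_words(n, seed=1):
    """Constructed input: n 32-bit integers from a seeded Mersenne Twister (offline stand-in
    for the file under test)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    stat = count_the_ones(specific_bytes(demo_words(256004)))
    print(f"Q5-Q4 = {stat:.1f} against {DEGREES_OF_FREEDOM} d.f.")
```

A stuck source is the case a practitioner should try first: a stream of all-zero bytes maps every word to AAAAA, and the statistic explodes to the order of 10^7, which is what the "FAILS BIG" note above looks like in numbers.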

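The craps test described above, as an added Python example (not the patent's code and not DIEHARD's own source). Beyond what the description states, it derives p = 244/495 exactly from the two-dice sum distribution, derives the exact probability that a game ends on throw 1, 2, ..., with all >21 lumped into the last cell, and uses those to produce the z-score of the win count and the chi-square of the throws histogram. The die is obtained from each 32-bit word exactly as the text says: float to [0,1), multiply by 6, add 1. `demo_word_stream` is a constructed input from a seeded Mersenne Twister.

```python
"""DIEHARD craps test, reimplemented in Python (added example; not the
patent's or DIEHARD's own code)."""
from fractions import Fraction
from math import sqrt
import random

# Exact two-dice sum distribution: P(s) = (6 - |s - 7|) / 36
SUM_PROB = {s: Fraction(6 - abs(s - 7), 36) for s in range(2, 13)}
POINTS = (4, 5, 6, 8, 9, 10)


def exact_win_probability():
    """p = 244/495: a natural (7 or 11) on the come-out roll, or making the point before a 7."""
    win = SUM_PROB[7] + SUM_PROB[11]
    for point in POINTS:
        win += SUM_PROB[point] * SUM_PROB[point] / (SUM_PROB[point] + SUM_PROB[7])
    return win


def throws_distribution(cells=21):
    """Exact probability that a game ends on throw 1, 2, ..., cells-1, with >= cells in the last cell."""
    probs = [SUM_PROB[2] + SUM_PROB[3] + SUM_PROB[12] + SUM_PROB[7] + SUM_PROB[11]]
    for t in range(2, cells):
        pt = Fraction(0)
        for point in POINTS:
            end = SUM_PROB[point] + SUM_PROB[7]     # the point or a 7 ends the game
            pt += SUM_PROB[point] * (1 - end) ** (t - 2) * end
        probs.append(pt)
    probs.append(1 - sum(probs))
    return probs


def die_from_u32(u):
    """DIEHARD's mapping: float the 32-bit integer to [0,1), multiply by 6, add 1."""
    return 1 + int(u / 2 ** 32 * 6)


def craps_game(dice):
    """Play one game from an iterator of die values 1..6; return (won, number of throws)."""
    throws = 1
    total = next(dice) + next(dice)
    if total in (7, 11):
        return True, throws
    if total in (2, 3, 12):
        return False, throws
    point = total
    while True:
        throws += 1
        total = next(dice) + next(dice)
        if total == point:
            return True, throws
        if total == 7:
            return False, throws


def craps_test(u32_words, games=200000, cells=21):
    """Play `games` games fed by an iterator of 32-bit integers. Returns the win count,
    its z-score against mean games*p and variance games*p*(1-p), the Pearson chi-square
    of the throws histogram (cells-1 d.f.) and the histogram itself."""
    dice = (die_from_u32(u) for u in u32_words)
    hist = {t: 0 for t in range(1, cells + 1)}
    wins = 0
    for _ in range(games):
        won, throws = craps_game(dice)
        wins += won
        hist[min(throws, cells)] += 1
    p = float(exact_win_probability())
    z = (wins - games * p) / sqrt(games * p * (1 - p))
    chi2 = sum((hist[t] - games * float(pr)) ** 2 / (games * float(pr))
               for t, pr in enumerate(throws_distribution(cells), start=1))
    return {"wins": wins, "z": z, "chi2": chi2, "hist": hist}


def demo_word_stream(seed=7):
    """Constructed input: an endless stream of 32-bit words from a seeded Mersenne Twister."""
    rng = random.Random(seed)
    while True:
        yield rng.getrandbits(32)


if __name__ == "__main__":
    r = craps_test(demo_word_stream())
    print(f"wins={r['wins']} z={r['z']:+.2f} chi2(20 d.f.)={r['chi2']:.1f}")
```

Because the expected cell probabilities are exact fractions, the last cell is 1 minus the sum of the others and the histogram always sums to the number of games, so a mismatch between `hist` and `throws_distribution` points at the input, not at rounding.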
1. High-speed random number generator (1) comprising a physical random number generator (5), and whose data input corresponds to the data input of the physical generator (5), and a pseudo-random generator (6) coupled to the output of the physical generator (5) that receives through its input a germ delivered by the physical generator, said physical generator (5) comprising a logic circuit (10) that includes at least a data input (D) and a clock input (CLK), the data input (D) receiving a “high frequency” clock signal H1 and the clock input (CLK) receiving a second “low frequency” clock signal H2, the “high frequency” signal H1 being sampled by the “low frequency” signal H2, the two clock signals H1 and H2 of different frequencies respectively issuing from two different oscillators (OSC1 and OSC2) operating asynchronously from one another and not adhering to the setup time of the logic circuit (10), the output of the circuit (10) delivering a signal in an intermediate state qualified as metastable between “0” and “1” and being constituted by a random number sequence, the metastability of the signal obtained as output from the circuit (10) being accentuated by the phase noise from the oscillator (OSC1) generating the “high frequency” signal H1, said random number generator (1) being characterized in that the pseudo-random generator (6) re-injects part of its pseudo-random output signal into the physical generator (5) and in that it includes an internal memory (9) that stores the random numbers obtained as output from the pseudo-random generator (6); the two generators (5) and (6) running on the same second “high frequency” clock signal H generated by an external oscillator (7).
 2. Random number generator according to claim 1, characterized in that the physical generator (5) includes a block (11) which, from the “high frequency” clock signal H generated by the external oscillator (7), generates the “low frequency” clock signal H2, which samples the input signal of the physical generator (5).
 3. Random number generator according to claim 2, characterized in that part of the signal output from the pseudo-random generator is re-injected into the block (11) that generates the “low frequency” signal, in order to force the variability of the period of the “low frequency” signal.
 4. Random number generator according to claim 3, characterized in that the physical generator (5) includes a shift register (13) that receives in its clock input (CLK) the “low frequency” signal H2 generated by the block (11) and receives in its data input the signal output from the latch-type logic circuit (10), the shift register (13) delivering through its output the germ that feeds the pseudo-random generator (6).
 5. Random number generator according to claim 4, characterized in that the physical generator (5) also includes an “exclusive OR” logic gate (12), coupled between the latch-type logic circuit (10) and the shift register (13), and receiving in a first input the signal output from the logic circuit (10), and in a second input a bit of the signal output from the pseudo-random generator (6), in order to compensate for a possible failure of the physical generator (5).
 6. Random number generator according to claim 5, characterized in that the physical generator (5) includes a counter (14) that receives in its input the “low frequency” clock signal H2, and whose output signal controls the renewal rate of the germ in the pseudo-random generator (6).
 7. Random number generator according to any of claims 1 through 6, characterized in that it also includes a test module (15) coupled to the input of the physical generator (5) that receives as input the “high frequency” signals H and H1 and delivers as output an error signal in case of a malfunction of the oscillator delivering the “high frequency” signal H1, which invalidates the output of the physical generator (5) by forcing the writing of zeros into the internal memory (9).
 8. Random number generator according to any of the preceding claims, characterized in that the pseudo-random generator (6) implements an algorithm of the multiply-with-carry type.
 9. Random number generator according to any of claims 2 through 8, characterized in that it is made entirely from an FPGA component.
 10. Mechanism for generating random numbers on demand, characterized in that it comprises a random number generator (1) according to any of claims 1 through 9, a dual-port memory (3) including a receiving buffer (3 ₁), coupled to the output of the generator (1) via the bus of the generator (1), and in that it includes a microprocessor (2) coupled to the dual-port memory (3) via the microprocessor bus, communicating with the generator (1) via the dual-port memory (3) and posting in the dual-port memory (3) a command word comprising an address and a count containing a maximum number of random words to be stored, and in that the buffer (3 ₁) of the dual-port memory (3), at the request of the microprocessor (2), is fed by the internal memory (9) of the generator (1) until a count corresponding to a given maximum number of random numbers has elapsed, then utilized by the microprocessor (2).
 11. Card for accelerating the cryptographic functions of a computing machine, characterized in that it supports a random generator according to any of claims 1 through 9.
 12. Card for accelerating the cryptographic functions of a computing machine, characterized in that it supports a mechanism according to claim 10.
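A software model of the data path claimed in claims 1 through 8, added here as an illustration; it is not the patent's design files and not an implementation of the FPGA. The metastable latch (10) is not simulated: its sampled output is represented by an iterator of bits (`os.urandom` in the demo, constructed stuck or alternating sources in the checks). The model wires that source through the XOR gate (12) with one bit of pseudo-random output (claim 5), into a 32-bit shift register (13) that produces the germ (claim 4), into a lag-1 multiply-with-carry generator (claim 8), with a counter (14) fixing how many words are produced before the germ is renewed (claim 6) and a fault flag standing in for the test module (15) that forces zeros into memory (9) (claim 7). The MWC multiplier, the 32-bit widths and the reseed period are assumptions; the patent gives no parameters.

```python
"""Software model of the claimed architecture (claims 1 to 8): a physical bit
source feeding a multiply-with-carry pseudo-random generator through the XOR
compensation gate (12) and the germ shift register (13), with the reseed
counter (14) and the test module (15) forcing zeros into memory (9).
Added illustration; the MWC parameters and widths are assumptions, not
values from the patent."""
from itertools import cycle
import os

MASK32 = 0xFFFFFFFF
# Assumed multiplier (Marsaglia's 32-bit lag-1 MWC constant); the patent names none.
MWC_A = 4294957665


def mwc_step(x, c):
    """One multiply-with-carry step, base 2**32: t = a*x + c; new x = t mod 2**32, new c = t // 2**32."""
    t = MWC_A * x + c
    return t & MASK32, t >> 32


def constant_bits(bit):
    """A stuck physical source (e.g. a failed OSC1): every sample is the same bit."""
    return iter(lambda: bit, None)


def alternating_bits():
    """A constructed, perfectly regular source, used only to make the germ predictable."""
    return cycle((1, 0))


def bits_from_bytes(data):
    """Unpack bytes MSB-first, standing in for the sampled latch output."""
    for b in data:
        for i in range(7, -1, -1):
            yield (b >> i) & 1


class GeneratorModel:
    def __init__(self, physical_bits, germ_bits=32, reseed_period=1024, xor_compensation=True):
        self.physical_bits = physical_bits          # latch (10) output samples, one per H2 edge
        self.germ_bits = germ_bits                  # width of the shift register (13)
        self.reseed_period = reseed_period          # counter (14): words between germ renewals (claim 6)
        self.xor_compensation = xor_compensation    # XOR gate (12), claim 5
        self.x, self.c = 1, 0                       # MWC state; replaced by the first germ
        self.memory = []                            # internal memory (9)
        self.fault = False                          # error signal of the test module (15), claim 7
        self.last_germ = None
        self.reseeds = 0
        self._count = 0
        self.reseed()

    def _prng_bit(self):
        """One bit of the pseudo-random output, re-injected into the physical generator (claim 1)."""
        self.x, self.c = mwc_step(self.x, self.c)
        return self.x & 1

    def germ(self):
        """Clock germ_bits samples through the shift register; each sample is the latch
        output, XORed with a PRNG bit when compensation is enabled."""
        g = 0
        for _ in range(self.germ_bits):
            bit = next(self.physical_bits)
            if self.xor_compensation:
                bit ^= self._prng_bit()
            g = ((g << 1) | bit) & MASK32
        return g

    def reseed(self):
        """Load a fresh germ into the MWC state. (0, 0) is a fixed point of MWC, so a
        zero germ falls back to x = 1: the failure the XOR gate is there to prevent."""
        self.last_germ = self.germ()
        self.x, self.c = (self.last_germ or 1), 0
        self.reseeds += 1

    def next_word(self):
        """Deliver one 32-bit word into memory (9); zeros while the test module signals a fault."""
        if self.fault:
            word = 0
        else:
            self.x, self.c = mwc_step(self.x, self.c)
            word = self.x
            self._count += 1
            if self._count >= self.reseed_period:
                self._count = 0
                self.reseed()
        self.memory.append(word)
        return word


if __name__ == "__main__":
    # os.urandom stands in for the metastable latch samples in this software model.
    gen = GeneratorModel(bits_from_bytes(os.urandom(4096)), reseed_period=64)
    words = [gen.next_word() for _ in range(8)]
    print([f"{w:08x}" for w in words], "reseeds:", gen.reseeds)
```

The two checks worth running against this model are the ones the claims are about: with a stuck source and the XOR gate disabled the germ collapses to zero and the generator runs on a fixed seed, while with the gate enabled the re-injected pseudo-random bit keeps the germ non-zero; and with the fault flag raised nothing but zeros reaches memory, so a consumer that sees zeros knows the physical source was invalidated rather than merely unlucky. Note that the XOR path masks a dead source from the output stream; it does not restore entropy, which is why claim 7 invalidates the output instead of relying on it.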